BootKit, one of the most annoying Trojan, is ready for the next global outbreak

BootKit is a widespread Trojan that has harmed a great number of people. Recently, 360 Security Center discovered that BootKit is actively spreading again. We found that the Trojan is spreading in server systems this time. Our users stated that although they tried various methods to recover their computers from abnormal status, it was still too late. We’ve conducted a detailed analysis, and 360 Total Security has taken the lead in killing the Trojan BootKit.

Through our precise analysis, we found that this kind of Trojan spreads by invading users’ server via weak passwords of MySQL or MSSQL. Moreover, this Trojan is likely to be transformed into a ransomware in the future. To avoid attacks, if your password is not strong enough, please change the password immediately.

Analysis

C:\Windows\Temp\v.exe

Invade the server to release the file to
C:\Windows\Temp\v.exe

The Trojan file information:

Write the function:

Get the disk serial number corresponding to the active partition:

Determine the MBR partition:

Check its writing status:

Write the function after backup:

After booting up, the behavior of BootKit Trojan shows below:

The system information after booting up:

Turn on the thread loop to detect the following process, and then end the process directly:

If your computer starts slowly or your server is not working properly, please use 360 Total Security to detect the Trojan. Also, do not start unnecessary service, or it will give hackers more chances to invade your server. For the necessary service , if there is any weak password, we highly recommend to change it immediately.